This chapter explains the difference between anonymity and pseudonymity. Note that defining terms is always a difficult process because a majority consensus is required:

Anonymous connection: A connection to a destination server, where it has no ability to discover the origin (IP address / location) of the connection, nor to associate any identifier [1] with it.

Pseudonymous connection: A connection to a destination server, where it has no ability to discover the origin (IP address / location) of the connection, but it can be associated with an identifier. [1]

In an ideal world, perfection would be achieved by the Tor network, Tor Browser, computer hardware, physical security, the underlying operating system, and so on. For example, in this utopia the user could fetch a news website, and neither the news website nor the website's ISP would have any idea if the user had ever made contact before. [2]

In contrast, the imperfect scenario results when software is used incorrectly, like when stock Firefox is used over the Tor network instead of the "Tor-safe" Tor Browser. The unfortunate Firefox user still protects their original connection (IP address / location) from discovery, but an identifier (like cookies) can be used to make that connection pseudonymous. For example, the destination website could log "user with id 111222333444 viewed Video Title A at Time B on Date C and Video Title D at Time E at Date F." This information can be used for profiling, which over time becomes more comprehensive. The anonymity set is gradually reduced, and in the worst case leads to de-anonymization.

As soon as a user logs into a website with a username for activities like forum posting or webmail, the connection is by definition no longer anonymous, but pseudonymous. The origin of the connection (IP address / location) is still hidden, but the connection can be associated with an identifier [1]; in this case, an account name. Identifiers can be used to keep a log of various things: when a user wrote something, the date and time of login and logout, what a user wrote and to whom, the IP address used (useless if it is a Tor exit relay), the recorded browser fingerprint and so on.

Maxim Kammerer, developer of Liberté Linux [3], has disparate ideas on anonymity and pseudonymity which should not be withheld from the reader: [4]

I have not seen a compelling argument for anonymity, as opposed to pseudonymity. Enlarging anonymity sets is something that Tor developers do in order to publish incremental papers and justify funding. Most users only need to be pseudonymous, where their location is hidden. Having a unique browser does not magically uncover user's location, if that user does not use that browser for non-pseudonymous activities. Having good browser header results on anonymity checkers equally does not mean much, because there are many ways to uncover more client details (e.g., via Javascript oddities).

Based on the preceding information, the table below outlines unrecommended behavior.

Table: Dangerous Anonymity Mode Combinations

| Combination | Example |
| --- | --- |
| Anonymity modes 1 + 2 | If the user has an instant messenger or email account and uses that via mode 1, it is inadvisable to use the same account for mode 2. The reason is the user is mixing absolute anonymity (mode 1) with selective anonymity (mode 2; since the recipient knows the user). |
| Two or more modes inside the same Tor session | Using an encrypted chat application over Tor and then posting in the Whonix ™ forum without rotating Tor circuits. If the modes share the same Tor exit relay, this could lead to identity correlation. |
| Two or more modes inside the same Whonix-Workstation ™ | Using the same Whonix-Workstation ™ for encrypted email as well as posting to a Tor Project mailing list. If the workstation is compromised, this leads to identity correlation. |
| Other combinations | Combining other modes may also be dangerous and could lead to the leakage of personal information or the user's physical location. |

De-anonymization is not only possible with connections / IP addresses, but also via social threats. A number of sane recommendations suggested by Anonymous to avoid de-anonymization are listed below. Users should not:

Include personal information or interests in nicknames.

Discuss personal information like location, age, marital status and so on. Over time, discussions about something inane like the weather could lead to an accurate idea of the user's location.

Not set up Anti-evil Maid protection for their computer (despite the presence of a Trusted Platform Module), because research reveals that attackers can sometimes recover private keys from digital signature schemes. [8]

Use less-researched, unproven, proprietary networks in preference to Tor, due to known vulnerabilities such as end-to-end correlation attacks.

It is illogical to bypass long-studied and robust security mechanisms due to perceived failings, particularly if the user is not an expert in the area under consideration such as Tor routing, full disk encryption, and so on -- do not let the perfect be the enemy of the good. Computer software and hardware solutions will always remain imperfect, but steady, incremental improvements are occurring over time. It is a mistake to take the openness and understanding of developers / engineers who highlight shortcomings as proof that the software or hardware under discussion is irredeemable.

The longer the same pseudonym is used, the higher the probability that mistakes are made which reveal the user's identity. Once this occurs, an adversary can go back and link all activity related to the pseudonym. As a precaution, regularly create new identities and stop using old ones.

On a typical computer system, logs will be generated by the host or virtual operating systems, applications, and other background processes. Each of the log entries records a variety of detailed information about system and network activity. Configuration files can also reveal details that degrade privacy. Depending on the log or configuration file in question, this may include: [9][10][11]

Host IP addresses.

Boot-time information.

Specific locations where information originates like messages or emails.

Logs are a useful tool for debugging or to better understand how well applications are running on a system. However, if a user is considering posting system logs when requesting assistance, then they should be carefully curated rather than posted in full. Similarly, it is dangerous to post full configuration files, for example, torrc files that reveal full bridge information. If this advice is ignored, the user may be inadvertently de-anonymized or might otherwise provide details that aid an adversary to attack their system.
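A first-pass redaction of a log or torrc excerpt before it is posted, covering the details named above (host IP addresses, boot-time timestamps, bridge lines). This is an added example, not part of the original page or of Whonix; the patterns, placeholder strings and sample text are constructed, and only IPv4 addresses are handled.

```python
import re

# Patterns for the kinds of detail the page warns about (IPv4 only; no IPv6).
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+\S+")
BRIDGE = re.compile(r"^(\s*#?\s*Bridge\s+)\S.*$", re.IGNORECASE)
MAC = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
FINGERPRINT = re.compile(r"\b[0-9A-Fa-f]{40}\b")
HOME = re.compile(r"/home/[^/\s]+")

# Applied in order. A torrc Bridge line is blanked whole (transport, address,
# fingerprint and certificate) before the narrower rules run.
RULES = [
    ("bridge", BRIDGE, r"\1[REDACTED-BRIDGE]"),
    ("time+host", SYSLOG_PREFIX, "[TIME] [HOST]"),
    ("mac", MAC, "[MAC]"),
    ("ipv4", IPV4, "[IP]"),
    ("fingerprint", FINGERPRINT, "[FINGERPRINT]"),
    ("username", HOME, "/home/[USER]"),
]


def redact(text):
    """Return (redacted_text, report); report maps rule name -> changed line numbers."""
    out, report = [], {}
    for number, line in enumerate(text.splitlines(), 1):
        for name, pattern, replacement in RULES:
            line, count = pattern.subn(replacement, line)
            if count:
                report.setdefault(name, []).append(number)
        out.append(line)
    return "\n".join(out), report


# Constructed sample: three syslog-style lines followed by a torrc fragment.
SAMPLE = """\
Mar  3 22:14:03 host kernel: eth0: link up, MAC 52:54:00:ab:cd:ef
Mar  3 22:14:09 host dhclient: bound to 192.0.2.44 -- renewal in 3600 seconds
Mar  3 22:15:40 host app[812]: saved /home/alice/Documents/draft.txt
UseBridges 1
Bridge obfs4 198.51.100.7:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=CONSTRUCTED iat-mode=0
"""

if __name__ == "__main__":
    cleaned, report = redact(SAMPLE)
    print(cleaned)
    print(report)
```

The report lists which lines were changed so the result can still be read through by hand; pattern matching does not catch identifying free text such as document names or message contents.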

Users often post screenshots, screen captures, or photographs of their entire desktop, without considering the privacy implications or potential metadata that is attached to the image. Depending on what is visible in the picture, this may reveal the user's operating system, timezone, username, documents, software packages and other sensitive information. [12] If meta tags are not removed, particularly from photographs, then EXIF data could result in a significant reduction in the user's anonymity set, or in the worst case scenario lead to de-anonymization.

Photographs with digital cameras may also reveal additional information due to screen reflections, visible objects outside of the screen, the amount of visible light (indicating the likely time of day or night), and possibly fingerprints left on the screen itself. At a minimum, any uploaded images should be sanitized with the Metadata Anonymisation Toolkit or other tools.

As already explained on the Warning page, Tor exit relays can eavesdrop on communications and man-in-the-middle attacks are possible, even with HTTPS. Using end-to-end encryption is the only way to send sensitive data to a recipient without it being potentially intercepted and disclosed to hostile third parties.

Managing contextual identities online is increasingly difficult and fraught with mistakes. Different online identities can be easily correlated if used simultaneously, since Tor may reuse circuits in the same browsing session or information could potentially leak from Whonix-Workstation ™. Whonix ™ does not magically separate different contextual identities.

Websites such as Google, Facebook and others will ask for a (mobile) phone number if attempting to log in over Tor. Unless the user is really clever or has an alternative, this information should not be provided.

Any phone numbers that are provided will have already been logged. The SIM card is most likely registered in the user's name. Even if this is not true, receiving an SMS gives away the user's location. Users can try to anonymously buy a SIM card far away from their usual home address, but there is still a risk: the phone itself. Each time the phone logs into the mobile network, the provider will log the SIM card serial number [13] and the phone serial number. [14] If the SIM card is bought anonymously, but not the phone, it is not anonymous because these two serials will get linked.

If a user really wants to do mobile verification, then a location far away from home is recommended, along with a fresh phone and a new SIM card. Afterwards, the phone must be turned off, and immediately both the phone and the SIM card should be completely destroyed. This may necessitate burning the items or other inventive (guaranteed) methods of destruction.

Users could try to find an online service that will receive a personal SMS on their behalf. That would work and would be anonymous. The problem is this method will probably not work for Google and Facebook, because they actively blacklist such numbers for verification. Another option is trying to find someone else to receive the SMS for you, but that would only shift the risk to the other person. [15]

Connect to a Server Anonymously and Non-anonymously at the Same Time

Creating Tor and non-Tor connections to the same remote server at the same time is strongly discouraged. In the event the internet connection breaks down (and it will eventually), all the connections will break simultaneously. Following that event, it is easy for an adversary to determine which public IP address / location belongs to which Tor IP address / connection, potentially identifying the user directly.

This scenario also enables another form of attack by web servers. The speed of either the non-Tor or Tor connection can be increased or decreased, to see if there is a correlation. That is, if either connection gets faster or slower in unison, then the relationship between a non-Tor and Tor link can be established.

License of "Do not connect to any server anonymously and non-anonymously at the same time!": [7]

If the user is sent any type of file or a link to the file (or a random internet URL/resource), either by email or another method, caution is recommended regardless of the file format. [16] That sender, mailbox, account, or key could be compromised and the file or link may have been prepared to infect the user's system when opened with a standard application. It is also feasible that files such as PDFs may leak a range of system data or have embedded tracking code which is activated when opened in an Internet-connected VM.

It is safer not to open the file with the default tool that is expected by the file's creator. For example, a PDF should not be opened with a PDF viewer, or if the content is public, a free online PDF viewer could be used. Greater security would involve sanitizing the PDF in Qubes-Whonix ™, or opening the file or link in a DisposableVM so that it cannot compromise the user's platform. Even better, the computer can also be physically disconnected from the Internet or VM network access disabled before opening it.

It is best to avoid visiting personal websites where either real names or pseudonyms are attached, particularly if they have ever been tied to a non-Tor connection / IP address. Very few people are likely to visit your personal website over Tor, meaning the user may be the only unique Tor client to do so.

This behavior leads to weak anonymity because once the website is visited the Tor circuit is "dirty". If the site is not popular and does not receive much traffic, the Tor exit relay can be fairly certain that the visiting individual is the user. After that point, it can be reasonably assumed that further connections originating from that Tor exit relay also come from the user's machine.

Always assume that each time a website is visited, logging by the destination server will include: [19]

Client IP address / location.

Request date and time.

Specific webpages requested.

HTTP code.

Number of bytes served to the user.

The user's browser agent.

The referring website (referrer).

Also assume that the Internet Service Provider (ISP) will at a minimum log total online time and the client IP address / location. The ISP may also log the IP address / location of visited destinations, how much traffic (data) was generated, and what was sent and retrieved. Unless Internet traffic is encrypted, the ISP will be able to see exactly what activities were performed, and the information sent or received.

The following tables provide a simplified overview of how those logs may appear to administrators.

It is clear that uniform logging by websites and ISPs enables the user's activities and interests to be easily determined.
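How the fields listed above appear in a web server's access log, and how directly they turn into a per-client record of pages viewed. This is an added example, not part of the original page; it assumes the widely used Combined Log Format, and the log lines, addresses and paths are constructed.

```python
import re

# Combined Log Format: client, identd, user, [time], "request", status, bytes,
# "referrer", "user agent". These are the fields the list above names.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse(line):
    """Return the logged fields as a dict, or None if the line is not an access entry."""
    match = LINE.match(line)
    if match is None:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    record["bytes"] = 0 if record["bytes"] == "-" else int(record["bytes"])
    return record


def profile(lines):
    """Group entries by client address, as an administrator reading the log could."""
    clients = {}
    for line in lines:
        record = parse(line)
        if record is None:
            continue
        entry = clients.setdefault(
            record["ip"], {"pages": [], "agents": set(), "bytes": 0, "first": record["time"]}
        )
        entry["pages"].append(record["path"])
        entry["agents"].add(record["agent"])
        entry["bytes"] += record["bytes"]
        entry["last"] = record["time"]
    return clients


# Constructed entries. 203.0.113.5 stands in for a home connection, 192.0.2.80
# for a Tor exit relay, whose address says nothing about who is behind it.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2024:09:15:02 +0000] "GET /health/condition-a HTTP/1.1" 200 18234 '
    '"https://search.example/?q=condition+a" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"',
    '203.0.113.5 - - [12/Mar/2024:09:17:40 +0000] "GET /politics/party-b HTTP/1.1" 200 9120 '
    '"https://news.example/health/condition-a" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"',
    '192.0.2.80 - - [12/Mar/2024:09:18:11 +0000] "GET /politics/party-b HTTP/1.1" 200 9120 '
    '"-" "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"',
    "not an access log line",
]

if __name__ == "__main__":
    for ip, entry in profile(SAMPLE_LOG).items():
        print(ip, entry["first"], "->", entry["last"], entry["pages"], entry["bytes"])
```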

An account is compromised and tied to the user if even a single login originates from a non-Tor connection / IP address. Singular mistakes are often fatal and have led to the downfall of many "anonymous" users.

Logging into banking, PayPal, eBay or other important financial accounts registered in the user's name is not recommended. Where money is involved, use of Tor risks the account being suspended due to "suspicious activity" by the fraud prevention system. The reason is hackers sometimes use Tor for committing fraud.

Using Tor with online banking and payment accounts is not anonymous for reasons already outlined. It is pseudonymous and only offers location privacy and a circumvention method in the event access to the site is blocked by the ISP. The difference between anonymity and pseudonymity is covered in an earlier section.

If a user is blocked, in many cases the service's support division can be contacted in order to have the account unblocked. Some services will even allow the fraud protection policy to be relaxed for the user's account.

Whonix ™ developer Patrick Schleizer is not opposed to using Tor for circumvention and/or location privacy. However, the user should appreciate that banking or other online payment accounts risk getting (temporarily) suspended. Other outcomes are also possible (service bans, account deletion and so on) as mentioned in warnings on this page and throughout the Whonix ™ documentation. Users who are aware of the risks and who feel comfortable using Tor in their personal circumstances are of course free to ignore this advice.

Do not log in to personal Facebook or other social network accounts over Tor. Even if a pseudonym is used instead of a real name, the account likely has linked friends who know the account's true owner. As a result, the social network can reasonably guess who the user really is.

No anonymity solution is perfect. Online anonymity software may reliably hide IP addresses and location data, but Facebook and similar corporations do not need this information. Social networks already know: who the user is, associated friends, the content of "private" messages sent and so on. This data is at least stored on social network servers, and no kind of software can delete it. Only social networking platforms and hacking groups could remove it. [21]

Users who log into personal Facebook and other accounts only get location privacy, but not anonymity.

Restrict the logged in time for Twitter, Facebook, Google and any other account-based services (like web forums) to the absolute minimum required. Immediately log out after reading, posting, blogging and other tasks are complete. Following log out, it is safest to then shut down Tor Browser, change the Tor circuit using a Tor Controller, wait for 10 seconds until the circuit has changed and then restart Tor Browser. For better security follow the recommendations to use multiple VM Snapshots and/or use multiple Whonix-Workstation ™s.

This behavior is necessary because many websites include one or more of the many integration buttons, such as Facebook's "Like" button and Twitter's "Tweet This". [23] In fact, in the top 200,000 Alexa websites, Facebook and Twitter social widgets are included in around 47% and 24% of those, respectively. Google third-party web services are included in around 97% of the same sample, mainly comprising Google Analytics, advertisements and CDN services (googleapis.com). [24][25] If a user is still logged into a service, those buttons tell the originating service that the website was visited. [26]

The danger of third-party resources to privacy should not be underestimated: [27][28]

Every time a user’s browser is instructed to fetch a third-party resource, that third-party server is given the ability to deliver tracking scripts and associate the first-party website with the bearer of third-party cookies and browser fingerprints. This tracking of online behavior allows for the construction of increasingly detailed user profiles, including sensitive information such as a user’s political views and medical history.

It is usually safe to change user interface settings for applications which do not connect to the internet. For example, checking a box like "Don't show any more daily tips" or "Hide this menu bar" will have no effect on anonymity.

Before changing any settings you are interested in, first read the Whonix ™ documentation. If the change is documented and recommended against, then try to persevere with the defaults. If the change is undocumented, then carefully research the proposed action before proceeding.

Changing settings for applications which connect to the internet (even user interface settings) should be thoroughly reviewed. For example, removing a menu bar or maximizing the screen in Tor Browser is recommended against. The latter is known to modify the detectable screen size, which worsens the user's web fingerprint.

Modification of network settings should only be undertaken with great care, and if the consequences are known. For example, users should avoid all advice pertaining to "Firefox Tuning". If the settings are believed to be sub-optimal, then changes should be proposed upstream so they change for all Tor Browser users with the next release. For a comprehensive list of unsafe Tor Browser habits, see here.

When a transparent proxy is used (like in Whonix ™), it is possible to start a Tor session from the client as well as from the transparent proxy, creating a "Tor over Tor" scenario. This happens when installing Tor inside Whonix-Workstation ™ or when using Tor Browser without configuring it to use a SocksPort instead of the TransPort. This is covered in further detail in the Tor Browser entry.

Doing so produces undefined and potentially unsafe behavior. In theory, the user could get six hops instead of three in the Tor network. However, it is not guaranteed that the three additional hops received are different; the user could end up with the same hops, possibly in reverse or mixed order. The Tor Project opinion is that this is unsafe: [29]

We don't want to encourage people to use paths longer than this — it increases load on the network without (as far as we can tell) providing any more security. Remember that the best way to attack Tor is to attack the endpoints and ignore the middle of the path. Also, using paths longer than 3 could harm anonymity, first because it makes "denial of security" attacks easier, and second because it could act as an identifier if only a few people do it ("Oh, there's that person who changed her path length again").

Users can manually choose an entry or exit point in the Tor network, [30] but the best security relies on leaving the route (path) selection to Tor. Overriding the choice of Tor entry and/or Tor exit relays can degrade anonymity in ways that are not well understood. Therefore, Tor over Tor configurations are strongly discouraged.

Do Use Bridges if Tor is Deemed Dangerous or Suspicious in your Location

This recommendation comes with an important caveat, since Bridges are not a perfect solution: [31]

Bridges are important tools that work in many cases but they are not an absolute protection against the technical progress an adversary might make in identifying Tor users. Using bridges might be advisable to prevent identification as a Tor user, but the Tor Project's bridges documentation is primarily focused on censorship circumvention, that is, overcoming attempts by ISPs or government to block Tor use.

Some users mistakenly think open Wi-Fi is a faster, safe "Tor alternative" since the IP address / location cannot be tied to their real name. For reasons explained below, it is better to use open Wi-Fi and Tor, but not open Wi-Fi or Tor.

The approximate location of any IP address can be estimated to the city, region or even street level. Even if a user is away from their home address, open Wi-Fi still gives away the city or approximate location since most people do not switch continents. The person running the open Wi-Fi router and their policies are also unknown variables. They could be keeping logs of the user's MAC address and linking it with the activity being sent in the clear through them.

While logging does not necessarily break user anonymity, it does reduce the circle of suspects from the entire global population, a continent, or the country, down to a specific region. This effect strongly degrades anonymity. Users should always keep as much information as possible to themselves.

Using a non-Tor browser and Tor Browser at the same time runs the risk of confusing them at one point, and de-anonymizing yourself in the process. It is also risky to use clearnet and Tor at the same time because simultaneous, anonymous and non-anonymous server connections might be established.

Concurrent clearnet and Tor (Browser) connections are recommended against for several reasons. First, the user can never be certain when an identical page is visited anonymously and non-anonymously at the same time. The reason is only the URL is visible, not how many resources are fetched in the background. Second, many different websites are hosted in the same cloud and services like Google Analytics are present on most websites. This leads to at least one known data harvester seeing numerous anonymous and non-anonymous connections.

If this advice is disregarded, then it is safer to utilize at least two different desktops to prevent confusing one browser with another.

This page risks stating things that are obvious, but the question must be asked: "Obvious to whom?". The above points may only be common sense to developers, hackers, geeks and other people with technological skills.

The above-mentioned groups tend to lose contact with non-technical users. It is useful to sometimes read usability papers or the feedback from people who do not post on mailing lists or in forums. Consider the examples below:

"In order to make sure the mobile phone frequencies are not being tracked, I would fill up a washbasin with water and put the lid of a rice cooker over my head while I made a phone call," said one interviewee, a 28-year-old man who left the country in November 2010.

↑But this information can be easily ascertained via ISP records which link Internet service accounts with a registered name and address. Alternatively, this information is leaked by the real (clearnet) IP address that was originally used to register for the service in the first place, since Tor registration is regularly blocked.

↑The former is unlikely to ever delete data, since profiling is the primary method of monetizing users with "free" accounts. Profiling is used for targeted advertising and to generate large user databases that can be on-sold for profit to third parties.

↑For example, Twitter's Tweet, Follow and embedded tweets are used to record browsing history. When a page is visited containing one or more of these, the browser makes a request to Twitter servers which contains a header informing of the site visited. A unique cookie allows Twitter to build a profile of browsing history, even if the user is not a Twitter user (for example, when Tor Browser is not used).
